Cultural Cybersecurity

“As more assets are connected to the internet, as more information is stored digitally and more processes are automated — the footprint becomes larger and the risks become larger as well.”

Insightive.tv: What business issues do you see as the primary drivers of your cybersecurity programs?

Jo: Our company is driven by many of the same factors that affect other organisations. The main difference is that our operations span a lot of services. The types of risk and the scale of risk vary within these parameters. A typical mining company would only have one aspect to worry about. We need to follow up on risks on the mining side of the operation, which are probably more geopolitical than further down the value stream where, for example, industrial espionage may be of more concern in regards to high-value customer products.

It is a well-known fact, across companies, that employees are also a source of risk. People can click on phishing emails, people can leak documentation. We don’t consider our internal risk higher than normal. But we are always aware of that risk.

Insightive.tv: Do you think cybersecurity is perceived as a technological enabler or a necessary cost?

Jo: It depends on who you ask — there is not a unanimous answer within the company. I think that everyone is aware that it is a necessity. Some people also understand that if we do this right we will be able to provide processes or services that other competitors are unable to do. Cybersecurity also enables the removal of legacy platforms, which can be a barrier and an opportunity.

I personally think of it as an enabler. But we have to respect the fact that it doesn’t come cheap and requires extensive changes in technology and culture. The latter can be particularly difficult. It is not a short-term patch, but rather a long-term change process.

So we have a solution where customers can upload documents, we have a website where people can apply online. But part of the dialogue, obviously, is dialogue — we want to be able to talk to our customers face to face, where they can actually explain and bring their business to life beyond dry numbers that you can input online.

We take a much more holistic approach that requires a broader set of channels, and we use these different channels for different parts of the process.

Insightive.tv: In that regard, would you rank the need to create cultural change as the largest challenge in your role?

Jo: It is certainly an important challenge to face. Depending on where you go with cybersecurity, dealing with legacy systems might be a close second. But raising awareness of the benefits of security and securing a buy-in to cultural change is the barrier that opens up the possibility to all of the other changes — no matter how difficult they are. The rest is just work.

Insightive.tv: Can you describe any of the recent digital transformation projects you have undertaken?

Jo: From a bottom-up perspective, one of our large current programs is to revamp the IT systems with the latest generation of software. This would provide us with a sound foundation for transformation. Real-time tracking and ‘single source of truth’ are typical benefits — all at faster speeds.

This foundation allows us to focus on intelligent automation — connecting assets that were previously not digital into a holistic digital picture, allowing predictive maintenance and further automation. Then we have several digital initiatives to do with business model transformation. These are essentially looking into how we can transform the business model into something that is powered by digital tools, without these tools necessarily defining and deciding what that is going to be.

We are also running extensive tests with cloud computing. I would say that we are active throughout the whole stack — production processes, support processes, technology components, business process components — we try and be holistic in that respect.

Insightive.tv: Is this shift towards greater digitalisation creating new levels of risk?

Jo: Ultimately, we are just embarking on this roadmap. A lot of this is still in the design phase. But, obviously, it is going to increase the risk picture. As more assets are connected to the internet, as more information is stored digitally and more processes are automated — the footprint becomes larger and the risks become larger as well.

Insightive.tv: How do you measure the return on investment gained through rigorous cybersecurity?

Jo: Trying to make such a direct measurement is obviously challenging because you are attempting to quantify the effects of something not happening. It is even difficult to accurately measure the investment costs because although security spending has a specific budget, the knock-on effects of security procedures on the running of the business are amorphous.

Luckily we have a very thorough culture of safety within the company. Our CEO famously says — “if you think accident prevention is expensive, try an accident.” I think that the culture around the business case for cybersecurity is very strong. Our biggest conversation is more around what are we realistically capable of doing.

Insightive.tv: Have new regulations changed your approach to digital transformation?

Jo: You are probably aware that we have our own energy production. That is already regulated by a quite strict set of laws in Norway. Next to that we have operations in Europe and Qatar, which are also regulated. Brazil has its own set of rules. We continually see regulations that both enable us and restrict us moving forward. But this does not necessarily change our digital transformation projects.

Insightive.tv: How about in regards to the GDPR specifically?

Jo: I am participating personally in an EU Commission initiative to improve this set of regulations. In a way, what the EU is trying to do is a very difficult but necessary balance between building an integrated digital market with strong European vendors, and decent protections for the customers. And that is a very interesting compromise that is continuously moving forward.

I would hesitate to say that the GDPR is more important than any other regulation because we try to comply with every regulation. But it is a force driving us to assess how much we are in control of our own information and clean up where there should be any gaps.

I think that the purpose of the EU’s regulatory efforts is good, but it is a very dynamic playing field and it will change continuously over time to find the final balance.

We have projects running at Norsk Hydro ASA to comply and manage these regulations. To me, they are a positive thing because they will encourage us to resolve internal situations that had previously lacked the business case to deal with. The primary example here is cleaning up internal information, classifying it into what is confidential and what is not. We have legacy, we have a pile-up of documents over the years, and GDPR is helping us force ourselves to clean up our document management and make it more useful.

Insightive.tv: Can you elaborate on these projects to improve your internal systems?

Jo: It is a multidisciplinary project. We have legal, HR, intellectual property and IT working together to understand our obligations, what needs to be done to comply, and decide how to effectively allocate resources. The core team is about 8 people. But each member has their own teams with dozens of people working in their areas of expertise.

But, as I said, many of the GDPR obligations are things we are already in compliance with due to local and internal standards. We are a company with deep roots in safety. For example, we recently upgraded several of our systems to modern platforms that are well suited to secure data storage. So, specifically in this regard, new regulation won’t require new systems or new architecture. We just need to make further use of what we already have in place. GDPR is reinforcing changes that we have already put in motion.

Jo de Vliegher is Chief Information Officer at Norsk Hydro ASA. We spoke with Jo to get an understanding of the role cybersecurity plays in IT development, and the preparations being undertaken to meet new regulatory requirements — particularly the pending GDPR.

Norsk Hydro ASA is one of the world’s largest aluminium companies. Based in Norway, Hydro is one of the only integrated aluminium companies. It operates in over 40 countries, spanning the whole aluminium value chain from bauxite mining, refinery, melting to aluminium rolling operations.